
I am looking at the Apache Shiro framework. Looking at its authentication and authorization features, can I build an identity server provider using the Shiro framework?

Is it possible to have features like,

  • Single Sign On
  • SAML support
  • Federation based on attributes

Do we need to write everything from scratch, or does Shiro have some APIs to handle such features?

I read the documentation where they talk about having SSO features based on sharing of user sessions across multiple organizations. But I did not see any direct support APIs to handle this.

To act as an IdP, what does Shiro give and what does it not support?

Please suggest.

Thanks, Sohan

Sohan

1 Answer


Shiro is a security layer that sits in front of your application. It is a security framework for a Service Provider (SP) that will issue an Authentication Request to your IdP (Identity Provider).

Open source IdP implementations that support SAML:

http://www.gluu.org/docs/

https://shibboleth.net/

This Stack Overflow question covers a way to use SAML to authenticate your user before they reach the application and provide the user's credentials as part of an HTTP header.

Integrating Java Web App with SAML SSO

An alternative to installing and maintaining your own IdP.

https://stormpath.com/

The cost of developing, securing, and maintaining your own identity provider is likely much higher than paying a monthly fee.

justin.hughey
  • Stormpath sounds good, but since it is cloud based it does not fit with my product architecture. Still, does Stormpath support the SAML protocol? – Sohan Apr 24 '15 at 06:20
  • "since it cloud based it does not fit", I have been there. Stormpath doesn't directly support SAML but they provide architectural guidance if you wish to implement it. – justin.hughey Apr 24 '15 at 12:44
  • Also, if you do plan on using Shiro as an Identity Provider take a look at the following project. https://github.com/bujiio/buji-pac4j – justin.hughey Apr 24 '15 at 12:45
  • A similar thing to what I was looking for. Sounds interesting. The main feature I am looking at is SAML support. From a high level, can I say this project supports SAML, right? +1 for answer and comment. – Sohan Apr 24 '15 at 14:04
  • "It supports these 6 authentication mechanisms on client side: ... SAML (2.0)", yes. – justin.hughey Apr 24 '15 at 14:56
  • I realized re-reading our conversation that it may be inaccurate for what you are attempting. Specifically, were you intending to handle a call from a Service Provider into an Identity Provider where the Identity Provider is Shiro? – justin.hughey Apr 24 '15 at 15:38
  • I'm going to update this answer. Apache Shiro should not be used as the "Identity Provider". I misunderstood the definition of how "identity provider" was being used in the context. – justin.hughey Apr 24 '15 at 16:23
  • Yes, the identity provider is Shiro. Why do you think it won't be helpful? The project I saw can be useful as a reference. What do you think? – Sohan Apr 25 '15 at 17:15
  • Can you tell me what it is lacking? – Sohan Apr 27 '15 at 05:16
  • Shiro would be the client side of the equation. It would be asking for SAML credentials, not providing them. – justin.hughey Apr 27 '15 at 14:00
  • I saw the project and I can see it supports different authentication providers. If I want to integrate Salesforce authentication support, I can just plug in or write a wrapper around buji-pac4j. When I create my IdP I will be looking at integration with different auth providers and basic authentication as well. Since this is all happening on simple servlets, I can turn this into a simple IdP server with my data store at the backend. My IdP requirements are very basic for now: support SAML or basic authentication, session management and replication for session failover, and a simple LDAP data store. – Sohan Apr 27 '15 at 14:07
  • Yes, Salesforce would be acting as the IdP and you'd use Shiro + buji-pac4j (or another SAML client) to authenticate (see link below). https://help.salesforce.com/HTViewHelpDoc?id=identity_provider_about.htm&language=en_US – justin.hughey Apr 27 '15 at 15:41
  • What I think you need is this: 1) LDAP server for credentials 2) GLUU server as IdP to provide protocols (SAML, OAuth, etc) 3) Shared Cache for sessions (EhCache, Redis, Memcached, etc) – justin.hughey Apr 27 '15 at 16:38
  • Right.. this is exactly what my design is.. a simple and very low-level IdP avoiding all the complex things around the world, since most companies hardly require all the stuff from an IdP provider. – Sohan Apr 28 '15 at 05:29
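The answer's header-based pattern (SAML handled in front of the application, the asserted user passed to it in an HTTP header) and the closing design discussion both leave one thing unsaid: how the application decides that the header really came from the component that validated the SAML assertion, rather than from any client that typed it in. The following is an added example, not code from the answer, from Apache Shiro, or from buji-pac4j. It is a hypothetical Shiro `AuthenticatingFilter` that accepts the `X-Authenticated-User` header only when a second header carries a shared secret known to the proxy, and hands Shiro a dedicated token type so that no password-checking realm can be tricked into an empty-password login. The header names, the `sharedSecret` property, the `PreAuthenticatedToken` class and the class name `HeaderPreAuthFilter` are all assumptions for this example; a realm that accepts that token type has to be configured separately.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.web.filter.authc.AuthenticatingFilter;

/**
 * Hypothetical Shiro filter for the "SAML at the edge, user in a header" pattern.
 * The SAML SP module or reverse proxy that validated the assertion forwards the
 * asserted user in X-Authenticated-User. That header is only trustworthy if the
 * application can distinguish the proxy's requests from anyone else's, so the
 * filter also requires a shared secret in X-Proxy-Secret, compared in constant time.
 * Header names and the secret are assumptions made for this example.
 */
public class HeaderPreAuthFilter extends AuthenticatingFilter {

    static final String USER_HEADER = "X-Authenticated-User";
    static final String SECRET_HEADER = "X-Proxy-Secret";

    private byte[] expectedSecret = new byte[0];

    /** Bean-style setter so the filter can be configured from shiro.ini. */
    public void setSharedSecret(String sharedSecret) {
        this.expectedSecret = sharedSecret.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * A token type of its own. Shiro realms only handle token types they declare
     * via supports(), and the default is UsernamePasswordToken, so a password or
     * LDAP-bind realm will reject this token instead of attempting an empty-password
     * login: the system fails closed unless a realm is explicitly written for it.
     */
    public static final class PreAuthenticatedToken implements AuthenticationToken {
        private final String principal;
        PreAuthenticatedToken(String principal) { this.principal = principal; }
        @Override public Object getPrincipal()   { return principal; }
        @Override public Object getCredentials() { return null; } // nothing to verify here
    }

    /** True only when the request carries the proxy's shared secret. */
    boolean fromTrustedProxy(HttpServletRequest req) {
        String presented = req.getHeader(SECRET_HEADER);
        if (presented == null || expectedSecret.length == 0) {
            return false;
        }
        // MessageDigest.isEqual is a constant-time comparison for equal-length inputs.
        return MessageDigest.isEqual(expectedSecret, presented.getBytes(StandardCharsets.UTF_8));
    }

    /** The asserted user, or null when the header is absent or cannot be trusted. */
    String trustedUser(HttpServletRequest req) {
        if (!fromTrustedProxy(req)) {
            return null;
        }
        String user = req.getHeader(USER_HEADER);
        return (user == null || user.trim().isEmpty()) ? null : user.trim();
    }

    @Override
    protected AuthenticationToken createToken(ServletRequest request, ServletResponse response) {
        String user = trustedUser((HttpServletRequest) request);
        // executeLogin() treats a null token as an error, so onAccessDenied()
        // checks for a trusted user before it ever calls executeLogin().
        return user == null ? null : new PreAuthenticatedToken(user);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) throws Exception {
        if (trustedUser((HttpServletRequest) request) == null) {
            // Either a request that bypassed the proxy or a proxy misconfiguration:
            // refuse outright rather than falling back to another credential source.
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        // executeLogin() calls createToken() and Subject.login(); it returns true when
        // the realm accepted the token and otherwise defers to onLoginFailure() (false).
        return executeLogin(request, response);
    }
}
```

In use, the filter is declared in the `[main]` section of shiro.ini as a named filter with its `sharedSecret` property set, then applied to the protected paths in `[urls]`. Two things outside this class decide whether the pattern is actually safe: the secret must be provisioned out of band (not committed with the application), and the proxy must strip any client-supplied `X-Authenticated-User` and `X-Proxy-Secret` headers before it adds its own, otherwise a client can reach the application through the proxy with forged values.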